Analysis

  • max time kernel
    145s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230831-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    11/10/2023, 11:41

General

  • Target

    8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe

  • Size

    767KB

  • MD5

    ba46ae626df58081d056cda82d2673c6

  • SHA1

    8c1c5e42666e0eaebbcd25f267252fe0256669f8

  • SHA256

    8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145

  • SHA512

    0065bd971f8f356a9d1c82d1ac75678323952dd4e25ea2ce046d4eaf1bcc3a7dca747170ff21d6d42b6cb939c9001283c8eb783c11e553d86dbbf0d00859bb00

  • SSDEEP

    12288:pBGp4OBr2ASjaGFi8XBaXq38AInxP2pEDZkHZu/WnTCzweGgOjTi9YLINsADQ75t:pB8BWUXqsb52pEDZ06Wno0gOvVZ75

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/raud/get.php

Attributes
  • extension

    .mzhi

  • offline_id

    64GZgS7xxeK837qu1w0KPUK0sweaDoAeJlv15vt1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-sxZWJ43EKx Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0797JOsie

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Downloads MZ/PE file
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe
    "C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe
      "C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\3b4a6e66-20b4-4f84-9703-682de7e1f221" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2912
      • C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe
        "C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe
          "C:\Users\Admin\AppData\Local\Temp\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2832

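The process tree above carries the three behaviours that identify this family in endpoint telemetry: each stage launches an identical copy of its own image and injects into it (the SetThreadContext/WriteProcessMemory pairs on PIDs 1988 and 2816), the later stage re-executes itself with `--Admin IsNotAutoStart IsNotTask`, and icacls is called to deny Everyone (S-1-1-0) the DE (delete) and DC (delete child) rights, inherited to all children, on a GUID-named folder under %LOCALAPPDATA% that holds the copy of the sample listed under Downloads. The following is an added example, not part of the report or of the sandbox's own code: detection logic in Python run over constructed process-creation events copied from the tree above (the record shape, the field names, the parent of PID 1988 and the benign control event are assumptions).

```python
import re
from dataclasses import dataclass


# Constructed process-creation events that mirror the tree in the report
# (PIDs, images and command lines copied from it; the parent of PID 1988 and
# the benign control at the end are made up). The record shape and field
# names are assumptions, not the sandbox's export format.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe")
LOCKED_DIR = r"C:\Users\Admin\AppData\Local\3b4a6e66-20b4-4f84-9703-682de7e1f221"
EVENTS = [
    ProcEvent(1988, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2560, 1988, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2912, 2560, r"C:\Windows\SysWOW64\icacls.exe",
              f'icacls "{LOCKED_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(2816, 2560, SAMPLE, f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'),
    ProcEvent(2832, 2816, SAMPLE, f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'),
    # benign control: an administrator denying Everyone write on a ProgramData folder
    ProcEvent(4000, 3000, r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\ProgramData\app" /deny *S-1-1-0:(OI)(CI)(WD)'),
]

EVERYONE = "S-1-1-0"
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# icacls grammar: /deny <sid>:(<flags>)(<rights,...>) with the SID written as *S-1-...
ICACLS_DENY = re.compile(r"/deny\s+\*?(?P<sid>S-[\d-]+):(?P<perm>(?:\([^)]*\))+)", re.I)
ICACLS_TARGET = re.compile(r'^icacls\s+"([^"]+)"', re.I)
GUID_DIR_IN_LOCALAPPDATA = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DJVU_ARGS = ("--Admin", "IsNotAutoStart", "IsNotTask")


def parse_icacls_deny(cmdline):
    """Split an icacls /deny into (sid, target, inheritance flags, rights); None if absent."""
    m = ICACLS_DENY.search(cmdline)
    t = ICACLS_TARGET.search(cmdline)
    if not m or not t:
        return None
    groups = re.findall(r"\(([^)]*)\)", m.group("perm"))
    inherit = {g.upper() for g in groups if g.upper() in INHERIT_FLAGS}
    rights = {r.strip().upper() for g in groups if g.upper() not in INHERIT_FLAGS
              for r in g.split(",")}
    return m.group("sid"), t.group(1), inherit, rights


def find_delete_locks(events):
    """Djvu locks its persistence folder: deny Everyone DE (delete) and/or DC (delete
    child) on a GUID-named directory under %LOCALAPPDATA%, so the copy cannot be removed."""
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\icacls.exe"):
            continue
        parsed = parse_icacls_deny(e.cmdline)
        if parsed is None:
            continue
        sid, target, _inherit, rights = parsed
        if sid == EVERYONE and rights & {"DE", "DC"} and GUID_DIR_IN_LOCALAPPDATA.search(target):
            hits.append((e.pid, target))
    return hits


def find_self_clones(events):
    """Parent/child pairs with identical image and command line: the shape left by the
    SetThreadContext/WriteProcessMemory stages, which spawn a copy of self and inject into it."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid
            and by_pid[e.ppid].image.lower() == e.image.lower()
            and by_pid[e.ppid].cmdline == e.cmdline]


def find_djvu_reexec(events):
    """Processes that re-launch their own parent's image with the Djvu argument set."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.ppid in by_pid
            and by_pid[e.ppid].image.lower() == e.image.lower()
            and all(tok in e.cmdline.split() for tok in DJVU_ARGS)]


if __name__ == "__main__":
    print("delete locks :", find_delete_locks(EVENTS))
    print("self clones  :", find_self_clones(EVENTS))
    print("djvu re-exec :", find_djvu_reexec(EVENTS))
```

The benign control event is there to keep the icacls rule narrow: a deny on Everyone is routine administration, and only the combination of the Everyone SID, delete rights and a GUID-named folder under the user's AppData\Local is worth an alert. During cleanup, the deny ACE can be removed from an elevated prompt with `icacls "<folder>" /remove:d *S-1-1-0` before deleting the copy of the sample.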
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    1KB

    MD5

    bd46f6294e3241292aedafa99a6faa58

    SHA1

    1b246fd791f94e2bbddea358b976afbbbe20f735

    SHA256

    1a88895998b0b7162dfc150f588fcb3ae6846d3b91591eb024c6824eff7a5a25

    SHA512

    2486c1a6aec0154c74918fcf6470d16aabafd5a60c33c5204a309ee54a60f01c63d462a66667b16a4fdba57741e0e5bbf0fb7c5a3a498f98d8cffbbe3914e58f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

    Filesize

    410B

    MD5

    d7cb2a0768f299c3a56d25077770a463

    SHA1

    df25d81a77883e7fff09beb76d51e7821aa6047f

    SHA256

    f892172ac301193941c5986ed5b4d292451eafb4ea3dd6890c55bc1652098822

    SHA512

    9c1428816aad590dd15cb9bd8de75c774bc6f0efb8b61db41cf2e5d045ea2caf677191d743d55c78b28a1a48ba5ea043710ddaf8b995299d4cd097c92a25b8c1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    e37e29058c01132db4683d3b580ef451

    SHA1

    2da18e21416e781696f46049e12387198a2443a6

    SHA256

    8b22044eba12d2606405951556cc74fcd51976f869dfcc4cf09e384e12f799b6

    SHA512

    09c4cd64055a85038c9fba882f40f9b783d39ab6311bf379f7c3b5e612b9e668134575ebc24713025873c455723dc31a9ffd685d510b17bdebbcc815ec47c0d6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

    Filesize

    392B

    MD5

    ddd167c1889565280f26333556af94b5

    SHA1

    a03ff65995b48eff22f8335604979f39fc1cbb19

    SHA256

    fea0efad299af05c5c13ccb2339e8e6d258eee39273ddbc0fe2c521de2af8ebb

    SHA512

    8fbd68f247c8f59e75ff9819fee8bedd483eba6b5a2883f733e1ebaad920274f81b33bc44a4780983b8ddb5b18dc53514744c74ccdc115af82fd387247e51b15

  • C:\Users\Admin\AppData\Local\3b4a6e66-20b4-4f84-9703-682de7e1f221\8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145.exe

    Filesize

    767KB

    MD5

    ba46ae626df58081d056cda82d2673c6

    SHA1

    8c1c5e42666e0eaebbcd25f267252fe0256669f8

    SHA256

    8a11f4d34a4ba7afea677810458e7aa6d31983f4dcd20d5eb5cff0c48f192145

    SHA512

    0065bd971f8f356a9d1c82d1ac75678323952dd4e25ea2ce046d4eaf1bcc3a7dca747170ff21d6d42b6cb939c9001283c8eb783c11e553d86dbbf0d00859bb00

  • C:\Users\Admin\AppData\Local\Temp\Cab3C84.tmp

    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

  • memory/1988-0-0x00000000002A0000-0x0000000000331000-memory.dmp

    Filesize

    580KB

  • memory/1988-6-0x00000000002A0000-0x0000000000331000-memory.dmp

    Filesize

    580KB

  • memory/1988-1-0x0000000001D20000-0x0000000001E3B000-memory.dmp

    Filesize

    1.1MB

  • memory/2560-8-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2560-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2560-4-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2560-29-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2560-26-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2560-7-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-39-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-123-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-138-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-139-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-143-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-145-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-146-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2832-147-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB